The `localsysop` setting is dangerous and allows an attack where an
attacker constructs a malicious webpage that makes a connection to
`localhost` on the appropriate port and then takes over the server.
Since the dev console can be used from `localhost` by default, this
would include the ability to run arbitrary code on the server computer.
Any server operator who browses the internet on the same computer
where she or he hosts the server (such as some small-time server
operators) would be vulnerable to having their computer taken
over merely by visiting any webpage on the internet under the
control of the attacker.
@@ -61,7 +61,7 @@ Once your server is up, you probably want to make yourself an Administrator (~)
The easiest way to become an Administrator is to create a file named `config/usergroups.csv` containing
To become an Administrator, create a file named `config/usergroups.csv` containing
@@ -73,16 +73,6 @@ Once you're an administrator, you can promote/demote others easily with the `/ad
Alternatively, if you do not want to use `config/usergroups.csv`, you can use the following method to become an Administrator. In your `config/config.js` file, you can set `exports.localsysop = true` and then any users who join from `127.0.0.1` will automatically become Administrators, even if they are unregistered.
If you are running Pokemon Showdown on a remote server (such as a VPS), you can still connect from `127.0.0.1` using an SSH tunnel:
ssh email@example.com -L 3000:127.0.0.1:8000 -N
Replace `user` by your user account on the remote computer and replace `example.com` by the host name of the remote computer. Replace `8000` by the port that the server is running on. You can then point your browser to `http://localhost-3000.psim.us` and it will connect to `example.com:8000`, but it will consider you to be connecting from `127.0.0.1`, so you will become an Administrator.
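Review bot: the removed paragraph about `exports.localsysop = true` takes the option out of the documentation only, and nothing in the visible lines changes how the server treats connections from `127.0.0.1`, so an operator who already has that line in `config/config.js` stays exposed to the takeover the commit message describes. Confirm that the setting is also removed or ignored in the code, and consider leaving one short sentence here telling existing operators to delete `exports.localsysop` from their config and use `config/usergroups.csv` instead. The removed SSH tunnel instructions were also the only guidance for operators on a remote server, so it is worth stating that the `config/usergroups.csv` method covers that case as well.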